Vendor: Ajenti
Products: 2
CVEs: 7
Across products: 28
Status: Private

Products (2)
- 26 CVEs
- 2 CVEs
Recent CVEs (7)

| CVE | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2020-37002 | Cri | 0.64 | 9.8 | 0.01 | | Jan 29, 2026 | Ajenti 2.1.36 contains an authentication bypass vulnerability that allows remote attackers to execute arbitrary commands after successful login. Attackers can leverage the /api/terminal/create endpoint to send a netcat reverse shell payload targeting a specified IP and port. |
| CVE-2026-40177 | Hig | 0.49 | 7.5 | 0.00 | | Apr 10, 2026 | ajenti.plugin.core defines all necessary core elements to allow Ajenti to run properly. Prior to 0.112, if the 2FA was activated, it was possible to bypass the password authentication. This vulnerability is fixed in 0.112. |
| CVE-2026-35175 | Med | 0.42 | 6.5 | 0.00 | | Apr 6, 2026 | Ajenti is a Linux and BSD modular server admin panel. Prior to 2.2.15, an authenticated user (using the auth_users plugin authentication method) could install a custom package even if this user is not superuser. This vulnerability is fixed in 2.2.15. |
| CVE-2026-40178 | Med | 0.38 | 5.9 | 0.00 | | Apr 10, 2026 | ajenti.plugin.core defines all necessary core elements to allow Ajenti to run properly. Prior to 0.112, if the 2FA was activated, it was possible during a short moment after the authentication of a user to bypass its authentication. This vulnerability is fixed in 0.112. |
| CVE-2026-27975 | | 0.00 | — | 0.00 | | Feb 26, 2026 | Ajenti is a Linux and BSD modular server admin panel. Prior to version 2.2.13, an unauthenticated user could gain access to a server to execute arbitrary code on this server. This is fixed in version 2.2.13. |
| CVE-2014-4301 | | 0.00 | — | 0.00 | | Jun 18, 2014 | Multiple cross-site scripting (XSS) vulnerabilities in the respond_error function in routing.py in Eugene Pankov Ajenti before 1.2.21.7 allow remote attackers to inject arbitrary web script or HTML via the PATH_INFO to (1) resources.js or (2) resources.css in ajenti:static/, related to the traceback page. |
| CVE-2014-2260 | | 0.00 | — | 0.00 | | Apr 30, 2014 | Cross-site scripting (XSS) vulnerability in plugins/main/content/js/ajenti.coffee in Eugene Pankov Ajenti 1.2.13 allows remote authenticated users to inject arbitrary web script or HTML via the command field in the Cron functionality. |